New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Journalbeat] Can't read journal logs since systemd 246 #22129
Comments
Pinging @elastic/integrations-services (Team:Services) |
This needs to be fixed in the |
@kvch In addition to that, there is that issue (also related to systemd 246+): #23220 (comment) |
How we can replicate the issue with minimal configurations journalbeat:7.10.2 has issues with Fedora 33.2.* (CoreOS)What we will do to replicate the issue
Expected Output
Behaviour on Fedora 33.20210104.3.1 (CoreOS)
[root@ip-172-16-6-197 core]# cat /etc/os-release | egrep "PRETTY_NAME"
PRETTY_NAME="Fedora CoreOS 33.20210104.3.1" Setup the journalbeat.yml [root@ip-172-16-6-197 log]# cat /tmp/journalbeat.yml
logging.level: debug
logging.to_files: true
logging.files:
path: /var/log/journalbeat
name: journalbeat
keepfiles: 7
permissions: 0644
output.console:
pretty: true
journalbeat.inputs:
- paths: ["/var/log/journal"]
seek: tail Do we have something to read [root@ip-172-16-6-197 log]# ls /var/log/journal/ec202d401c5992820776e21d113a6d85/
system.journal user-1000.journal Let's start the docker journalbeat sudo docker run \
--rm --name=journalbeat \
--user=root \
--volume="/var/log/journal:/var/log/journal" \
--volume="/etc/machine-id:/etc/machine-id" \
--volume="/run/systemd:/run/systemd" \
--volume="/tmp/journalbeat.yml:/usr/share/journalbeat/journalbeat.yml" \
docker.elastic.co/beats/journalbeat:7.10.2 journalbeat -e -strict.perms=false
.
.
2021-02-02T08:30:04.594Z INFO [journalbeat] beater/journalbeat.go:93 journalbeat is running! Hit CTRL-C to stop it.
2021-02-02T08:30:04.597Z INFO [monitoring] log/log.go:118 Starting metrics logging every 30s PROOF OF ISSUE 1
[root@ip-172-16-6-197 core]# echo 'hello world' | systemd-cat -p info
PROOF OF ISSUE 2
[root@ip-172-16-6-197 core]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
69be0030b5c0 docker.elastic.co/beats/journalbeat:7.10.2 "/usr/local/bin/dock…" 4 minutes ago Up 4 minutes journalbeat
[root@ip-172-16-6-197 core]# docker exec -it journalbeat sh
sh-4.2# cd /var/log/journal/ec202d401c5992820776e21d113a6d85/
sh-4.2# journalctl
Journal file /var/log/journal/ec202d401c5992820776e21d113a6d85/system.journal uses an unsupported feature, ignoring file.
-- No entries --
sh-4.2# journalctl --version
systemd 219
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN
[root@ip-172-16-6-197 core]# journalctl --version
systemd 246 (v246.7-1.fc33)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified What is the root cause ?I am not sure but i think
Have tested this scenario on Fedora 31.* (CoreOS) and it works as expected |
Does journalbeat read them when it is executed directly on the host? In that case it would be using the same systemd library as the host (rather than the one shipped in the journalbeat container (219)). |
Closing as inactive and Journalbeat is removed in 7.16. Please use |
Journalbeat has stopped working for us since the version 246 of systemd is out.
This seems to be the culprit: https://github.com/systemd/systemd/blob/93caec7ed612c3d5d62ee092774bb481995fc05e/NEWS#L2049-L2057
We made it work again by setting
SYSTEMD_JOURNAL_KEYED_HASH
to 0 in systemd-journald.service. It would make sense to do what's needed for journalbeat to work without this workaround.Would be happy to help if needed !
The text was updated successfully, but these errors were encountered: